How to use NoScript 10

NoScript (by Giorgio Maone) is one of the most popular security extensions for Firefox. In this quick tutorial I cover its basics and show some configurations for working with it on a daily basis.

[Image: Official Logo (X-Mas Edition). Picture: noscript.net]


Levels

Each domain in NoScript 10 has a trust level. By default, each domain is under the Default trust level but you may find your old NoScript domains already under the Trusted level. These are both familiar to previous NoScript users: the default is not to allow JavaScript, but domains can be explicitly trusted. NoScript 10 also adds two more levels: Untrusted and Custom.

[Image: NoScript overview]
Though the UI makes this a bit unclear, these trust levels are columns. For each domain, one button is selected, meaning one trust level.
[Image: NoScript trust level icons, used to toggle several options]

Working with Trust Levels

Each trust level can be edited to describe what happens when you set a domain to that level. For Default, Trusted, and Untrusted, that configuration is global. That is, if you say that the Default trust level should trust fonts (by checking the fonts checkbox) but nothing else, then every domain in that trust level will have that setting. When you modify the Custom trust level, it’s per-domain. This is the misleading part, due to the UI. To edit a trust level, you need to set a domain to that trust level and then click on the trust level again once it expands. Even though you clicked on a specific domain to set the Default, Trusted, or Untrusted configuration, note that it applies to all domains with that trust level.

[Image: Trust levels]
Similar to uMatrix, you can configure each behavior manually to restrict or allow it on a per-domain or global basis.

Working with some ‘daily usable’ defaults

NoScript 10 allows for more control over what’s filtered. Scripts, objects, media, frames, fonts, WebGL, fetch, and other things can all be filtered. Since you’re using NoScript for privacy, I recommend changing your Default trust level to uncheck all items. If you trust a domain completely, add it to the Trusted level. If you only want some items from it, like fonts and WebGL, then use the Custom trust level for that domain.

[Image: Defaults]
Check or uncheck the things you want to allow or disallow.

Global Top-Level rules

When browsing sites and using NoScript 10, you’ll likely notice that a domain will show up multiple times within the NoScript menu. This is because NoScript 10 allows you to modify the trust level of the specific domain used (such as blog.medium.com), as well as the entire top-level domain (such as medium.com). If you set a top-level domain to a specific trust level, that trust level will apply to all sub-domains as well. This is very handy for marking entire ad/tracking domains as Untrusted.

[Image: Medium in the NoScript menu]
Do note, the default is to actually ALLOW scripts.

Permanent trust levels

By default, any changes made to trust levels are temporary. In order to permanently set a domain’s trust level, you also need to click the big clock that appears within the Trusted button. If the clock is very small, then the trust level is already permanent.

Debug

At the bottom, there’s a Debug button. Select it, and a small text editor opens, inside which you can change the JSON configuration for NoScript. You can edit the default state of each scope as well as delete whitelisted entries.

Example debug JSON (excerpt):

    {
      "DEFAULT": {
        "capabilities": [
          "frame",
          "other",
          "fetch",
          "media",
          "object"
        ]
      },
      "TRUSTED": {
        "capabilities": [
          "script",
          "object",
          "media",
          "frame",
          "font",
          "webgl",
          "fetch",
          "other"
        ]
      },

Above I have deleted the "script" line from the DEFAULT scope. You can also do that through the UI: select any domain, untick the script box, and this will apply to all websites that are marked with the DEFAULT scope. Not intuitive, I know.

      "sites": {
        "trusted": [
          "§:addons.mozilla.org",
          "§:afx.ms",
          "§:ajax.aspnetcdn.com",
          "§:ajax.googleapis.com",
          "§:bootstrapcdn.com",
          "§:code.jquery.com",

If you don’t want to trust some of these, just delete them. As you can see in the screenshots below, the UNTRUSTED scope has no elements (capabilities) and no sites at the moment, and custom is also empty.

[Image: NoScript 10 JSON edit]

[Image: NoScript 10 sanitized list]

Temporarily allow

[Image: NoScript 10 temporarily allow]
Notice the clock icon to the right of the text that reads CUSTOM.

The remedy to this issue SHOULD be the use of the temporarily allow option, which does exist. Under Custom, there’s a small clock-like button. Once you select the desired toggle state for the eight elements, click this button. This should make the permissions temporary, and they should revert to the original once you close and reopen the browser.

[Image: Temporary permissions in NoScript]
NoScript 5.x let you temporarily allow all via middle click on the extension icon; the behavior seems to be largely the same as in previous versions.


There are still some fine nuances, but it is the add-on that we love, care about and need, and it alone warrants using Firefox. This is a great development.

Trusting HTTPS only

NoScript 10 provides the ability to trust a domain only if it’s reached through a secure connection. You can tell if this is enabled by whether the lock that appears on that domain’s row is green or red. If it’s red, then the domain will be trusted even over unencrypted connections. This is a concern, since unencrypted connections are vulnerable to MITM attacks and you may end up trusting arbitrary and nefarious JavaScript. I recommend making sure the lock is always green (you can click on the lock to toggle it).


For previous NoScript users, I also recommend going back through your whole trusted list and setting all domains to have a green lock. You can get to that list by clicking the Options button within the NoScript menu. There isn’t an automatic process for marking them all green yet, but it only took me 10 minutes or so to both ensure all locks are green and do some cleaning of old domains I no longer need to trust.

[Image: Green rules (HTTPS)]
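Since the Debug editor exposes the whole policy as JSON, the two manual chores above (dropping "script" from the DEFAULT scope, and walking the trusted list to make every lock green) can be checked in one pass. The following is an added example, not code from the post or from NoScript itself; it assumes the "§:" prefix seen in the trusted list is the secure-only marker that the green lock toggles, and it works on a constructed sample policy with the same shape as the excerpt above.

```python
import json
import copy

SECURE_PREFIX = "§:"  # assumed: NoScript's secure-only (green lock) marker

# Constructed sample in the shape of the Debug JSON shown in the post; not a real export.
SAMPLE_POLICY = json.dumps({
    "DEFAULT": {"capabilities": ["script", "frame", "other", "fetch", "media", "object"]},
    "TRUSTED": {"capabilities": ["script", "object", "media", "frame",
                                 "font", "webgl", "fetch", "other"]},
    "UNTRUSTED": {"capabilities": []},
    "sites": {
        "trusted": ["§:addons.mozilla.org", "code.jquery.com"],  # second one has a red lock
        "untrusted": [],
        "custom": {},
    },
}, ensure_ascii=False)


def audit(policy_json: str) -> dict:
    """Report the two risky settings discussed in the post."""
    policy = json.loads(policy_json)
    trusted = policy["sites"]["trusted"]
    return {
        # DEFAULT scope still runs scripts on every unconfigured site
        "default_allows_script": "script" in policy["DEFAULT"]["capabilities"],
        # trusted entries that would also be honoured over plain HTTP
        "insecure_trusted": [s for s in trusted if not s.startswith(SECURE_PREFIX)],
    }


def harden(policy_json: str) -> dict:
    """Return a hardened copy: no scripts in DEFAULT, every trusted entry secure-only."""
    policy = copy.deepcopy(json.loads(policy_json))
    caps = policy["DEFAULT"]["capabilities"]
    policy["DEFAULT"]["capabilities"] = [c for c in caps if c != "script"]
    policy["sites"]["trusted"] = [
        s if s.startswith(SECURE_PREFIX) else SECURE_PREFIX + s
        for s in policy["sites"]["trusted"]
    ]
    return policy


def to_json(policy: dict) -> str:
    """Serialise for pasting back into the Debug editor (keeps the § character)."""
    return json.dumps(policy, indent=2, ensure_ascii=False)


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
    print(to_json(harden(SAMPLE_POLICY)))
```

Paste your own export in place of the sample, and the audit lists exactly the rows whose lock you still need to click.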

The remaining UI

With all of that covered, the only two remaining buttons are for revoking all temporary permissions and for temporarily trusting the whole page. You can mouse over each of them to see a tooltip explaining what it does; the behavior is analogous to the previous NoScript’s. At this point, you know all you need to use the NoScript 10 extension effectively.

Conclusion

NoScript 10 has come a long way in the past month, but its UI could certainly be improved. I think moving the Default, Trusted, and Untrusted configuration to the settings menu would make things a lot less confusing. I also think that more text in the UI would allow new users to pick things up more quickly. Lastly, Untrusted should be called Distrusted, but now we’re just splitting hairs.
